ideate
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its processing of external context. User-provided topic and context (such as codebase paths or documents) are processed and passed to subagents without sufficient isolation or sanitization.
  - Ingestion points: The topic and context parameters in SKILL.md are interpolated into subagent prompts.
  - Boundary markers: Absent; the skill does not use delimiters or instructions to ignore embedded commands within the provided context.
  - Capability inventory: Shell execution (date), file system access (writing to /tmp), and recursive subagent dispatching.
  - Sanitization: Absent; external data is used directly in prompts without validation or escaping.
- [COMMAND_EXECUTION]: The skill uses shell commands (date +%s) to manage timeboxed iterations and compute deadlines based on user-provided durations. This functionality forces the agent to remain in a persistent loop until the deadline passes.
- [COMMAND_EXECUTION]: The skill automatically writes and updates ideation logs in a globally writable directory (/tmp). The predictable file naming convention (/tmp/ideate--.md) could lead to information disclosure if the skill is used on a shared multi-user system.
Audit Metadata